Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time


wgsd is a CoreDNS plugin that serves WireGuard peer information via DNS-SD (RFC6763) semantics. This enables use cases such as:

  • Building a mesh of WireGuard peers from a central registry
  • Dynamic discovery of WireGuard Endpoint addressing (both IP address and port number)
  • NAT-to-NAT WireGuard connectivity where UDP hole punching is supported.

See this blog post for a deep dive on the underlying techniques and development thought.


Binary releases are available here.

Each release contains 2 binaries:

  • coredns - CoreDNS server with all the "internal" plugins + wgsd
  • wgsd-client - A sample client

Building from source

External CoreDNS plugins can be enabled in one of two ways:

  1. Build with compile-time configuration file
  2. Build with external golang source code

For method #2 you can simply go build the contents of cmd/coredns. The resulting binary is CoreDNS server with all the "internal" plugins + wgsd.

% go build
% ./coredns -plugins | grep wgsd

A basic client is available under cmd/wgsd-client.

Configuration Syntax

  • ZONE is the zone name wgsd should be authoritative for, e.g.
  • DEVICE is the name of the WireGuard interface, e.g. wg0
    self [ ENDPOINT ] [ ALLOWED-IPS ... ]
  • Supplying the self option enables serving data about the local WireGuard device in addition to its peers. The optional ENDPOINT argument enables setting a custom endpoint in ip:port form. If ENDPOINT is omitted wgsd will default to the local IP address for the DNS query and ListenPort of the WireGuard device. This can be useful if your host is behind NAT. The optional, variadic ALLOWED-IPS argument sets allowed-ips to be served for the local WireGuard device.


Following RFC6763 this plugin provides a listing of peers via PTR records at the namespace _wireguard._udp.<zone>. The target for the PTR records is of the format <base32PubKey>._wireguard._udp.<zone>. This same format is used for the accompanying SRV, A/AAAA, and TXT records. When querying the SRV record for a peer, the target A/AAAA & TXT records will be included in the "additional" section of the response. TXT records include Base64 public key and allowed IPs. Public keys are represented in Base32 rather than Base64 in record names as they are treated as case-insensitive by the DNS.


This configuration:

$ cat Corefile
.:5353 {
  wgsd wg0 {

With the following WireGuard peers:

$ sudo wg show
interface: wg0
  public key: JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY=
  private key: (hidden)
  listening port: 51820

peer: xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6+yffAHw4=
  allowed ips:
  latest handshake: 14 hours, 24 minutes, 40 seconds ago
  transfer: 840.64 KiB received, 85.54 KiB sent

peer: syKB97XhGnvC+kynh2KqQJPXoOoOpx/HmpMRTc+r4js=
  allowed ips:
  latest handshake: 4 days, 15 hours, 8 minutes, 12 seconds ago
  transfer: 1.38 MiB received, 139.42 KiB sent

Will respond with:

$ dig @ -p 5353 PTR +noall +answer +additional 0	IN	PTR 0	IN	PTR 0	IN	PTR
$ dig @ -p 5353 SRV +noall +answer +additional 0	IN SRV 0 0 7777 0	IN A 0	IN TXT "txtvers=1" "pub=xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6+yffAHw4=" "allowed="
$ dig @ -p 5353 SRV +noall +answer +additional 0	IN SRV 0 0 8888 0	IN A 0	IN TXT "txtvers=1" "pub=syKB97XhGnvC+kynh2KqQJPXoOoOpx/HmpMRTc+r4js=" "allowed="
$ dig @ -p 5353 SRV +noall +answer +additional 0	IN SRV 0 0 51820 0	IN A 0	IN TXT "txtvers=1" "pub=JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY=" "allowed="

Converting public keys to Base64 with coreutils:

$ echo yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha==== | tr '[:lower:]' '[:upper:]' | base32 -d | base64
$ echo wmrid55v4enhxqx2jstyoyvkicj5pihkb2tr7r42smiu3t5l4i5q==== | tr '[:lower:]' '[:upper:]' | base32 -d | base64
$ echo extglt26a3znqnigvb5gvg26cqwblbgynf5re5pukdhx53cqwvda==== | tr '[:lower:]' '[:upper:]' | base32 -d | base64


  • unit tests
  • SOA record support
  • CI & release binaries